Rec'd PCT/PTO 14 APR 2005

European Patent Office

531616

PCT/IB03/04608
10.11.03

Certificate

The attached documents are exact copies of the European patent application described on the following page, as originally filed.

Patent application No. 02257275.4

PRIORITY DOCUMENT
SUBMITTED OR TRANSMITTED IN COMPLIANCE WITH RULE 17.1(a) OR (b)

For the President of the European Patent Office
p.o.

R C van Dijk


European Patent Office

Application no.: 02257275.4

Date of filing: 18.10.02

Applicant(s):

Koninklijke Philips Electronics N.V.
Groenewoudseweg 1
5621 BA Eindhoven
NETHERLANDS

Title of the invention:
(If no title is shown please refer to the description.)

Method, system and signal for metadata and CRID protection in TV-Anytime

Priority(ies) claimed
State/Date/File no.:

International Patent Classification:

H04N7/24

Contracting states designated at date of filing:

AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LI LU MC NL PT SE SK TR



Method, system, and signal for metadata and CRID protection in TV-Anytime 

As the number of channels available to television viewers has increased, along with the diversity of the programme content available on such channels, it has become increasingly challenging for television viewers to identify television programs of interest. Historically, television viewers identified television programs of interest by analyzing printed television program guides. As the number of television programs has increased, it has become increasingly difficult to effectively identify desirable television programs using such printed guides.

More recently, television program guides have become available in electronic format, often referred to as electronic program guides (EPGs). Like printed [...] EPGs compile their overview from metadata that accompanies the [...] for content items is available from a variety of sources. Metadata can be included with a broadcast stream, e.g. as MPEG-2 tables [...] external database. For example, a television receiver or [...] may be provided with an Internet connection, which allows the device to access metadata made available over the World Wide Web.

[...] generally comprises information such as title, artist/genre and so on, and may also contain a unique content reference identifier (CRID) sometimes [...] identified. Further, using the CRID further information can be [...] wishes to see from the EPG, even though the time and place of broadcast are not [...] then retrieve [...] broadcast of the content item when this information becomes available.

[...] CRID is not restricted to broadcast transmissions of content. It could also [...] the Internet, or to any other source. The purpose of content resolution is to allow acquisition of a specific instance of a specific item of content. For example, a user may want to record an episode of a television series, but he does not necessarily know when and where that episode will be [...] available. He [...] personal digital recorder (PDR) or similar device to enter a [...] series by means of the CRID. Note that a CRID may refer to an entire series or to an individual episode thereof.

[...] received a CRID for a content item, the PDR tries to obtain the [...] of the content item. This information is called a locator and it contains the date, time and channel on which the content item will be broadcast. The user [...] aware of this. Once the PDR has obtained the locator [...] the PDR waits for the specified date and time and then records [...] as it is broadcast on the specified channel. Of course, if the locator [...] content from the indicated location as soon as it becomes available.

[...] standardization provides a standardized Content Reference [...] Forum, [...]anytime.org, Specification Series: S-[...] (Normative), Document SP004V11, 14 April 2001.

The <authority> field indicates the body that created the CRID. An authority will also provide the ability for the CRID to be resolved into locators or other CRIDs. A locator is the name for locations in time and space of content. The <data> field is a free format string that is compliant with the definition of Uniform Resource Identifiers (URIs) as given in RFC 2396. This string should be meaningful to the authority given by the <authority> field.

The CRID is used for location resolution, which can be defined as the process of translating a CRID into other CRID(s) or locators. For instance, a CRID for an entire TV series could be translated into a series of CRIDs for the individual episodes of that series. Location resolution may be done in the recording device (typically a Personal Digital Recorder or PDR) or remotely. A resolution provider does location resolution. Resolution providers use resolving authority records (RARs) to be identified and located. A RAR includes at least an <authority> field, corresponding to a body that creates CRIDs.

A RAR also contains a URL and the resolution provider name. The URL points to the location where resolution information can be found. The resolution provider name contains the name of the body that is providing location resolution. These RARs are made available to PDRs.

Fig. 1 schematically illustrates the process of content resolution. A Personal Digital Recorder or PDR is instructed to record a content item identified by a Content Reference Identifier CRID. Instructing the PDR to record a content item, or in other words scheduling that content item for recording, can be done in a variety of ways. A presently common way is that the user manually indicates, e.g. by selecting the content item in the EPG, that the content item is to be recorded. It will be readily understood that part or all of the functionality ascribed to the PDR below could also be incorporated into one or more other devices, such as television receivers, set-top boxes or personal computers.

The PDR, or another device to which the PDR is connected, may be equipped to determine kinds of content items that the consumer may be interested in. This is known as user profiling or recommender systems. By keeping track of content items which the consumer views, and employing an implicit and/or explicit rating system for such content items, it becomes possible to predict with varying degrees of accuracy which other content items the consumer may be interested in. It then becomes possible to automatically record content items which are likely to be of interest to the consumer. Such content items could then be recorded by the PDR. Many techniques for user profiling are known in the art. When the PDR determines, using user profiling, that a particular content item may be of interest, it schedules the content item for recording.

The CRID for the content item is used to facilitate automatic recording of the content item. The CRID could be entered manually by the user, or be the result of selecting a content item through an Electronic Program Guide. This second option assumes that the CRID is somehow provided to the PDR together with other metadata used in the EPG. Alternatively, if the CRID is not known by the user or by the PDR, the user could perform a search using for example the title of the content item in a metadata database, and select the desired content item from the search results. The CRID is then supplied to the PDR by the search engine.

There are many other ways to provide the CRID to the PDR. For example, a trailer or preview for a movie could be broadcast with the CRID embedded in the content of the commercial in some way (e.g. a watermark). The user could then press a button on his remote control, television or PDR. The PDR or television then extracts the CRID from the content.

Once the CRID for the content item is known, the PDR tries to obtain locator information for the content item, using the CRID as input. This locator information is not necessarily always available. For example, the CRID may refer to a movie that has only recently been released in movie theaters. This movie is not likely to be broadcast on television in the near future, so it cannot be scheduled using EPG information. In such a case, the PDR should regularly try to obtain the locator as the [...] may become available later (e.g. a year later, when the movie is to be [...]). The CRID could also refer to a TV series, which is then resolved into a number of CRIDs for individual episodes of that series. It is possible that no locator information is available for some episodes. Here the PDR should also regularly retry to obtain the locator(s) for those episodes.

The process of translating a CRID into other CRIDs or locators is known in TV-Anytime as location resolution. Location resolution involves mapping a location-independent content reference (the CRID) to its location in time (e.g. scheduled [...] in a broadcast system) and space (TV channel, IP address). As explained above, these locations in time and space are referred to as "locators". The process of location resolution may happen inside the PDR or by using a physically remote server, such as a server on the Internet.

To the PDR, the CRID essentially contains opaque information, which it cannot resolve to a location without external assistance. A Resolution Provider (RP) which provides locator information for CRIDs is provided to solve this problem. Usually multiple RPs are available, and the PDR must know which RP to use for a particular CRID. Often, this is the same body that created the CRID. The name of the authority is present in the CRID in the <authority> field, as explained above. This [...] the form of a registered Internet domain name. It is possible for an [...] to be found on the Internet using the domain name resolution process specified in the TV-Anytime specification SP004.

Each RA will require one or more Resolving Authority Records (RAR) to exist [...] place. Each resolving authority record will [...] be placed inside some sort of transport specific container which allows the PDR [...] in the case of multiple records for the same [...] use one of them, or try them all in turn. The Resolving Authority Record (RAR) contains the information that identifies the RAs where content reference resolution information can be found.

[...] PDR determines which RP to use to resolve a particular CRID. The PDR then submits a request for a location accompanied by a CRID to the Resolution Provider in question. In response to this request, the Resolution Provider [...] locator information (assuming this information is available in that RP, of course). [...] can then access the content source and obtain the content item. A content item may have more than one locator, for example if it is broadcast multiple times or available from multiple providers. The PDR may then choose which locator to use, or prompt the user to make a selection.

Once the locator information has been obtained, the PDR waits for the [...] date and time and then records the episode as it is broadcast on the [...] channel. Of course, if the locator indicates a location on the Internet or the like, the PDR can simply retrieve the content from the indicated location as soon as it becomes available.

[...] items for which locator information is available can be recorded by the PDR at the appropriate moment. To this end, the PDR may comprise local storage such as a sufficiently large hard disk, and/or a device such as a DVD+RW writer. The storage on which content items are stored needs not be local to the PDR but may also be an external device such as a hard disk or a file server connected to the PDR via a home network. Once the content items have been recorded, they can be played back at any time until they have been erased.
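
The location resolution steps described above (authority lookup through a RAR, a series CRID resolving into episode CRIDs, and episodes with no locator yet being retried later), as an added Python example that is not code from the application. The crid://<authority>/<data> syntax is the TV-Anytime content referencing form; the RAR table, the resolution data, the locator tuples and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed resolving authority records (RARs), keyed by the <authority> field.
RARS = {
    "broadcaster.example": {
        "resolution_provider": "Example Resolution Provider",
        "url": "http://rp.broadcaster.example/resolve",
    },
}

# Constructed answers of that resolution provider: a CRID resolves either to
# further CRIDs (series -> episodes) or to locators (date, time, channel).
RESOLUTION = {
    "crid://broadcaster.example/series1": {
        "crids": ["crid://broadcaster.example/s1e1",
                  "crid://broadcaster.example/s1e2"]},
    "crid://broadcaster.example/s1e1": {
        "locators": [("2002-10-18", "20:00", "Channel 1")]},
    # s1e2 has no entry yet: its broadcast has not been scheduled.
}


def parse_crid(crid):
    """Split crid://<authority>/<data> into its two fields."""
    parts = urlsplit(crid)
    if parts.scheme.lower() != "crid" or not parts.netloc or len(parts.path) < 2:
        raise ValueError("malformed CRID: %r" % crid)
    return parts.netloc.lower(), parts.path[1:]


def resolve_crid(crid, seen=None):
    """Return (locators, pending); pending CRIDs should be retried later."""
    seen = set() if seen is None else seen
    if crid in seen:            # guard against CRIDs that resolve to each other
        return [], []
    seen.add(crid)
    authority, _data = parse_crid(crid)
    if authority not in RARS:   # no RAR: the PDR does not know which RP to ask
        return [], [crid]
    answer = RESOLUTION.get(crid)
    if answer is None:          # the RP has no locator information yet
        return [], [crid]
    locators, pending = list(answer.get("locators", [])), []
    for child in answer.get("crids", []):
        found, waiting = resolve_crid(child, seen)
        locators += found
        pending += waiting
    return locators, pending


if __name__ == "__main__":
    print(resolve_crid("crid://broadcaster.example/series1"))
```

Every answer in this walk is accepted on the word of whoever the RAR points at, which is the trust gap the rest of the document sets out to close.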

TV-Anytime information and services [2][3][4] are valuable, so protection of this information is important. When considering the type of protection that is needed, first the situations that are to be prevented should be identified.

The first example in which protection is needed is the case where TV-Anytime data and services are provided as a service. In this case, one wants to prevent unauthorised parties from accessing this service. Only authorised parties should be allowed to access the data. In other words, the service and/or data should be placed under access control.

The other example regards the issue of source authentication and spoofing; the integrity of the data is to be protected. When TVA data is received from a source, the receiver may want to check if the data is indeed coming from the expected source and hasn't been changed by a third party.

There is an incentive for a third party to try this. If a third party can change the metadata or CRID table, it can make the PDR record other information than was intended, including commercials, trailers or just other content.

This is also very annoying for a user and may lower the trust the user has in the system. This brings us to another level of authentication. The PDR may want to check whether the content came from a trusted source. If the data can be authenticated to originate from one source even when it is distributed using different channels, the PDR can use this to make a choice when confronted with multiple sources of the same content. An example of this is when the data of a certain BBC show can be authenticated as being generated by the BBC; this raises the likelihood that this information is correct.

From this discussion, we can conclude that there is an incentive for service providers and box manufacturers to use access control and integrity checking mechanisms. The approach towards access control and protecting the data integrity of TV-Anytime data will also be handled.

[1] TV-Anytime document WD659, Final report of RMP WG, RMP working group, September 2002.
[2] TV-Anytime document WD647/SP003v1.3 Part A, Specification series S-3 on Metadata: Part A Metadata Schemes, Provisional Specification, Version 1.3, 27 September 2002.
[3] TV-Anytime document WD647/SP003v1.3 Part B, Specification series S-3 on Metadata: Part B System Aspects in a Unidirectional Environment, Working Draft Version 1.3, 2 August 2002.
[4] TV-Anytime document SP004V1.2, Specification series S-4 on Content Referencing, Version 1.2, Final Specification, 28 June 2002.
[5] Provisional TV-Anytime document SP006v0.1, Specification series S-6 on Delivery of Metadata over a Bidirectional Network, 10 October 2002.
[6] ISO/IEC 13818-1:1996(E), Information technology - Generic coding of moving pictures and associated audio information: Systems, First Edition, 1996-04-15.
[7] ISO/IEC 13818-6:1998, Information technology - Generic coding of moving pictures and associated audio information: Extensions for Digital Storage Media Command and Control, 1998.
[8] ETSI TS 102 812 V1.1.1 (2001-11), Digital Video Broadcasting (DVB): Multimedia Home Platform (MHP) Specification 1.1, 28 June 2002.
[9] RFC3275, (Extensible Markup Language) XML-Signature Syntax and Processing.
[10] Applied Cryptography Second Edition: protocols, algorithms, and source code in C, Bruce Schneier, Wiley, 1996.
[11] RFC2396, Uniform Resource Identifiers (URI): Generic Syntax.

If the PDR operates in accordance with a Digital Rights Management system, then a content item may be erased when the rights associated with the content item require such erasure. Also, some content items may not come with a right to record the item at all, or with a right that permits viewing only for a limited amount of time or for a limited number of times. The PDR should then erase the content item when the limit is exceeded, or refuse further access to the content until further rights are obtained that permit further access.

Using the above approach, anyone knowing the location of content could act as a resolution provider. Content and service providers, however, may desire that only authorized resolution providers perform content resolution for their content, for example to be able to protect their reputation. On the other hand, for consumers and PDRs it is important to be able to rely on and trust the CRID authority and resolution provider, so that they can obtain the correct content.

So, it is desirable to enhance the above approach so that at least one aspect of the CRID and/or other metadata and/or the resolution process can be protected. This protection preferably involves data origin authentication or integrity protection, but can also involve protection against unauthorized access, or maintenance of confidentiality.

Access control can be used in order to make sure that only authorised clients can access the services. Of course, it should be impossible (or very difficult) for unauthorised clients to access the data. Whether a client is authorised is determined by the service provider. Furthermore, different models for accessing the content can be introduced. Examples of such models could be that there are several different levels of service that a client can buy. The basic model will just give information regarding the content of a few channels over a limited period of time. More advanced models will provide access to a larger range of services and span a longer time period.

The models described in the previous paragraph are very similar to the models used by pay-TV operators. Only authorised users (subscribers) are allowed access to the content. Furthermore, the level of access you get is dependent on your subscription. Similar systems exist on the Internet, where they are called DRM systems.

Although the level of standardisation is different in both cases, the model shown in Fig. 2 for secure delivery of TV-Anytime content to a client applies to both.

The content is received in the client box. During transport, the content is encrypted. Before the content can be accessed, the content has to be decrypted. This process is controlled by the DRM or CA system.

The TV-Anytime specification distinguishes between two different distribution media: unidirectional and bidirectional. In the unidirectional situation, TV-Anytime data is another stream in the broadcast stream with the normal signalling in place. In this case the access to this stream can be protected using traditional conditional access systems. This would mean that the stream is broadcast while scrambled. Using the normal signalling methods defined for the transport mechanism, the conditional access system is identified and the messages carrying the conditional access information related to this stream are indicated. Most digital broadcast systems use the MPEG-2 transport stream format [6].

In the bidirectional case, a point to point connection is made between client and server. This process is described in [4]. In this case the DRM system will open a secure channel to the service provider and tunnel the communication described in [4] through this channel. In this way it will ensure that only authorised TV-Anytime clients can access the content.

Although existing CRC mechanisms in the broadcast system will deal with transmission errors, it remains desirable to detect intentional changes and to authenticate that the information was generated by the claimed source.

As is apparent in the previous discussion, applying conditional access upon TV-Anytime services can be achieved using protection methods.

It is described how TV-Anytime data integrity can be protected. Any TV-Anytime data integrity approach is closely linked to the way the data is delivered. Furthermore, the analysis provided indicates that two different levels of data integrity are needed.

The first level of integrity relates to the service provider that delivers the metadata. The intention is to validate that the data has not been changed during transport between resolution provider and the client.

The second level of integrity relates to the validation of the actual source of the information. The source of the TV-Anytime data is not always the creator of the data. The source could be a service provider gathering and grouping information from different sources. It could be useful to check who created the data and whether the data has been changed. In this case, the data that is received will hold parts provided by different sources.

It is an object to protect the integrity of TV-Anytime data during delivery. In the case the data is also protected by a conditional access or DRM system (Section 3), delivery integrity protection is easy. When the TV-Anytime data is delivered under control of a conditional access or DRM system, these systems ensure that only authenticated clients can access the data. As this involves encryption of the data during delivery, this process also authenticates the source of the information.

When the content is not protected by such systems, other mechanisms can be used. The standard cryptographic approach to protection of data integrity is to sign the data using cryptographic techniques [...].

In a unidirectional broadcast scenario, a reasonable argument can be made that it is sufficiently difficult to change the broadcast stream. Although this is a valid argument, in some situations additional protection may be needed, by adding mechanisms to protect the integrity that are part of the delivery system, such as a system to sign files with the data.

In the situation that such mechanisms are not available or a different mechanism is needed, the proposal indicated in this chapter can be used.

When studying the TV-Anytime specifications [2], [3], [4] & [6], the following types of data are identified: metadata and CRIDs. Furthermore, as TV-Anytime defines two different delivery mechanisms (unidirectional [3] and bi-directional [5]), care has to be taken not to propose any mechanism that would break these existing specifications.

All TVA metadata is provided as TVA fragments. In TVA, according to [2], a TVA fragment is "a self contained atomic portion of the metadata". In this document, we assume that the smallest TVA metadata element that can be signed is a fragment.

[...] the fragments several issues need to be [...] should allow for different forms of encoding (BiM, text). [...] the unidirectional [...] bidirectional distribution system. Furthermore, the level of change that [...] impose upon [...] metadata specification should preferably be limited.

[...] distribution: when metadata changes hands, more than one party may want to apply their signature to the same fragment, so the system should preferably [...]. It is likely that for efficiency [...] to sign a set of metadata fragments instead of individual fragments. Concluding, the system supports signatures over single or multiple fragments.

When considering these requirements two approaches can be considered:
1. Add signatures and signature information to the fragment
2. [...] fragments and provide separate signature file
As option one will not allow the same signature to cover more than one fragment, we will target a system in which signatures will be provided separately and a reference will indicate which elements are signed.

As all TVA metadata is expressed in XML, a transport neutral way of [...] signatures that allows the signatures to be carried in the same data [...] would be to include the signatures in the TVA schema. As TV-Anytime metadata is expressed in XML, an obvious choice would be xmldsig [9].

[...] way to define the elements that need to be signed can be approached [...] [9] that removes some or all elements of the metadata that are not considered for this signature. Another approach is to label [...] fragments (or set of fragments) and sign using references. [...] has the advantage that, when properly chosen, the reference would [...] from a signature file to fragment. Furthermore, the label provides a link between the fragment(s) and the data containing the signature [...] explicitly.

More elaborate search options could be provided by adding signature index files. Such an index file would then link labels to the appropriate signature [...].

[...], signatures are implemented by calculating a hash over the content and signing the hash using public key cryptography. This [...] on the party that applied the signature [...] is carried in signed [...]. So in order to check the [...] the signatures [...], also the certificates of the parties [...] required. We [...] to add an additional element to TVAMain: certificates.

According to [3] the following fragments have been defined by TV-Anytime.

* TVAMain
  o ClassificationTable
    ■ CSAlias
    ■ ClassificationScheme
  o ProgramDescription
    ■ ProgramInformationTable
      • ProgramInformation
    ■ GroupInformationTable
      • GroupInformation
    ■ ProgramLocationTable
      • BroadcastEvent
      • Schedule
    ■ ServiceInformationTable
      • ServiceInformation
    ■ CreditsInformationTable
      • PersonName
      • OrganisationName
    ■ ProgramReviewTable
      • ProgramReviews
    ■ SegmentInformationTable
      • SegmentInformation
      • SegmentGroupInformation
    ■ OnDemandProgramLocation

This section will define the label that is used to uniquely identify a TV-Anytime fragment in order to link the fragment to the signature. This is done by providing an optional field that is added to each TV-Anytime fragment. When present, it is a unique identification of that fragment instance within this instance of metadata. The label should allow for easy tracing of the fragment within the metadata. This is required in order to find the different fragments that are needed to calculate a signature.

Within the TV-Anytime specification, a field called TVAID is used. According to the metadata specification [2], TVAIDs are used to "indicate uniqueness within a metadata description" [2]. Although they seem to match the requirement for an identifier, they are only unique for a particular type of TVAID, e.g. a serviceID and segmentID could be the same within a particular metadata description. This could be enough if the reference used in the signature indicated the context (e.g. service or segment).

In order to support signatures, all fragments have an optional or compulsory fragment identification. The TVAID could be used if all fragments have one (or one is added) and it is determined that using the TVAID a unique reference to the fragment can be made within this instance of the TVA metadata.

Another solution could be that a special TVA signature identifier is added to all fragments as an optional field. Either the TVAID or a new identifier is defined for this purpose. When the TVAID is used, and it is added to all fragments, the signature defined in this section could be replaced by the TVAID.

An example identifier used for signatures is defined as



Name                  Definition
TVASignatureIdType    A simpleType used to add an optional identifier to each TVA fragment that uniquely identifies this fragment among other fragments of the same type within this instance of metadata.

In order to be able to reference each fragment (or set of fragments) an example of format for all TV-Anytime fragments could be



[...] sure that the identifier is unique among fragments of the same type within this instance of metadata, it is suggested to start the identifier with the [...] of the organization responsible for generating the fragment. So the TVASignatureId of a fragment published by company MyCompany could look like:

[...]

[...] also allow [...] which organization published the data.

In xmldsig [9], references can be used to indicate the elements grouped to calculate a signature. The reference is implemented as a URI [11]. So in order to indicate which fragments are used to calculate a signature, the URI to refer to the fragments needs to be defined.

Although the TVASignatureId identifies a fragment, it does not define where this fragment can be found within the total TVAMain. In order to facilitate the searching for the correct fragment within the metadata, the URI should preferably also indicate the location.

[...] to indicate the path through the metadata that has to be taken in order to locate the fragment (see Appendix A).

So the definition of the fragment URI (formatted according to [11]) is:

tva://<path>/<TVASignatureId>

<path>: [...] of the metadata towards the fragment
TVAID: the identifier of the fragment

Some examples:

tva://TVAMain/aap.org;f32423
tva://TVAMain/C[...]

[...] be seen, it is also possible to sign TVAMain. In this case, all of TVAMain without the certificate and signature parts should be considered. The [...] in URIs to refer to a fragment; as such the identifier should [...] restrictions placed upon [...]. Furthermore, in TVASignatureId [...] may be used in the [...]
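
The fragment URI and the hash-then-sign scheme described above, as an added Python example that is not code from the application: it resolves tva:// references to labelled fragments, digests each fragment in canonical form, and lets one signature cover a set of fragments. Assumptions: the label is carried in an attribute named TVASignatureId, <path> names the elements from the root down to the fragment's parent, the sample metadata and key are constructed, and HMAC-SHA256 stands in for the public-key signature so that the block runs on the standard library alone.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

ID_ATTR = "TVASignatureId"  # assumed attribute name for the fragment label
BASE = "tva://TVAMain/ProgramDescription/ProgramInformationTable/"

# Constructed sample; element names follow the fragment list in the text.
SAMPLE = """<TVAMain>
 <ProgramDescription>
  <ProgramInformationTable>
   <ProgramInformation TVASignatureId="mycompany.example;f0001">
    <Title>Evening News</Title>
   </ProgramInformation>
   <ProgramInformation TVASignatureId="mycompany.example;f0002">
    <Title>Late Film</Title>
   </ProgramInformation>
  </ProgramInformationTable>
 </ProgramDescription>
</TVAMain>"""


def parse_fragment_uri(uri):
    """Split tva://<path>/<TVASignatureId> into (path elements, identifier)."""
    if not uri.startswith("tva://"):
        raise ValueError("not a tva:// fragment URI: %r" % uri)
    parts = uri[len("tva://"):].split("/")
    if len(parts) < 2 or not all(parts):
        raise ValueError("URI needs a path and an identifier: %r" % uri)
    return parts[:-1], parts[-1]


def resolve_fragment(root, uri):
    """Follow the path from the root and return the one fragment with that label."""
    path, frag_id = parse_fragment_uri(uri)
    if path[0] != root.tag:
        raise LookupError("path does not start at <%s>" % root.tag)
    parents = [root]
    for name in path[1:]:
        parents = [c for p in parents for c in p.findall(name)]
    hits = [c for p in parents for c in p if c.get(ID_ATTR) == frag_id]
    if len(hits) != 1:  # a missing or duplicated label cannot be verified safely
        raise LookupError("%d fragments match %s" % (len(hits), uri))
    return hits[0]


def fragment_digest(elem):
    """SHA-256 over the canonical XML (C14N 2.0) of one fragment."""
    clone = copy.copy(elem)
    clone.tail = None  # text after the closing tag is not part of the fragment
    xml = ET.tostring(clone, encoding="unicode")
    canonical = ET.canonicalize(xml, strip_text=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_manifest(root, uris):
    """One manifest covering several fragments: a 'URI sha256=digest' line each."""
    lines = ["%s sha256=%s" % (u, fragment_digest(resolve_fragment(root, u)))
             for u in sorted(uris)]
    return "\n".join(lines).encode("utf-8")


def sign(manifest, key):
    """Stand-in signature: HMAC-SHA256 (the text's scheme signs with a private key)."""
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()


def verify(root, manifest, signature, key):
    """Check the manifest signature, then return the URIs whose digest fails."""
    if not hmac.compare_digest(sign(manifest, key), signature):
        raise ValueError("manifest signature does not verify")
    failed = []
    for line in manifest.decode("utf-8").splitlines():
        uri, _, expected = line.partition(" sha256=")
        try:
            actual = fragment_digest(resolve_fragment(root, uri))
        except LookupError:
            actual = ""
        if not hmac.compare_digest(actual, expected):
            failed.append(uri)
    return failed


def demo():
    """Sign two fragments together, then change one title after signing."""
    key = b"constructed-demo-key"
    root = ET.fromstring(SAMPLE)
    uris = [BASE + "mycompany.example;f0001", BASE + "mycompany.example;f0002"]
    manifest = build_manifest(root, uris)
    signature = sign(manifest, key)
    before = verify(root, manifest, signature, key)
    resolve_fragment(root, uris[1]).find("Title").text = "Commercial Break"
    after = verify(root, manifest, signature, key)
    return before, after


if __name__ == "__main__":
    print(demo())
```

A receiver that holds only the signer's certificate needs an asymmetric signature in place of the HMAC; the reference resolution and digest steps stay the same.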

The system described in previous sections requires that the signatures are distributed and accessed within the normal distribution system as is indicated by TV-Anytime. This can be done in two ways. One could expand the TVAMain object so it will include the signature information.

Another approach would be to define a wrapper that includes the TVAMain and possibly some other elements that need signing. In this way, this specification would not change the current metadata specification and it would also allow other TV-Anytime documents to be included (e.g. ContentReferencingTable and ResolvingAuthorityRecordTable). Seeing these advantages, a wrapper format has been defined (TVASignatureWrapper).

This table will provide a grouping between the data that is signed and the list of signatures: the TVASignatureTable.






<attributj« naate f »i'T«SWs49.»' ' ■ • ■ 

<«tfejriA>wt* name*" Cone«l>isfmfersnpii^T4ls3.e« 
«attrttrate B*BCsivipgpfk.«t;]!WirityH««ordTatJlpn 

type- ■ tya, : iTOPigMtwxoS'ak JctFype n uBe-i'rsgulrftfl"/*' 
cattirttaipfi flaBje-pjte^fT^flTSis^e" . ; ^..J.,.. „.' m i . 

i 

<attribute name="version" type="integer" use="optional"/>
<attribute ref="xml:lang" default="en" use="optional"/>
<attribute name="publisher" type="string" use="optional"/>
<attribute name="publicationTime" type="dateTime" use="optional"/>
<attribute name="rightsOwner" type="string" use="optional"/>
<attribute name="copyrightNotice" type="string" use="optional"/>



Name                            Definition
TVASignatureWrapper             A complexType holding TV-Anytime data and the accompanying signatures.
TVAMain                         A TVAMain instance holding fragments that have been signed by signatures in the SignatureList.
ContentReferencingTable         A ContentReferencingTable that has been signed by signatures in the SignatureList.
ResolvingAuthorityRecordTable   A ResolvingAuthorityRecordTable that has been signed by signatures in the SignatureList.
SignatureTable                  The list with signatures of data elements (see text).
KeyInfoTable                    The list with KeyInfoWrapper objects (see text).
Version                         Specifies the version of the description.
xml:lang                        Specifies the language of the description. Default is 'English'.
Publisher                       Specifies the name of the publisher of the
PublicationTime                 Specifies the time the metadata description was published.
RightsOwner                     to the description
CopyrightNotice                 Specifies the copyright information for the description document.

This table also gives the option to include the ContentReferencingTable
and ResolvingAuthorityRecordTable. As they can only occur once, no
"fragment identifier" is needed in the table for the definition of the URI.



<element name="Signature"

maxOccurs="unbounded"/>
</sequence>



Name                  Definition
SignatureTableType    A complexType that contains a list of signatures.
SignatureList         A list of signature information elements as specified in text.



As can be seen, 0 or more signatures can be present. This brings us to what
information is available. In the ideal world, all signatures available for the data
indicated in TVASignatureWrapper are included and all fragments that are indicated
in the different signatures are present.

In the bi-directional delivery system, this could be different as only the requested
fragments are present. As these issues are very delivery system dependent, they
should be handled in future versions of the respective specifications.

In order to check the signatures, a public key is needed. Distribution of this
key can be done in several ways. The key can be hard coded in the devices but this
would raise problems if new keys are used or when current keys are compromised.
The most common way of distributing the keys is by incorporating them into
so-called certificate chains [10]. TVASignature allows the inclusion of one or more
ds:KeyInfo objects in order to support the carriage of such certificates within the
TVASignature wrapper.

A complexType indicating a list of KeyInfo objects with accompanying
identifiers.



type*** Sfcy^*W*&pp*rt>£fc n minO«iw*"0 n 



Name                    Definition
KeyInfoWrapperType      A complexType that contains the signatures present in this TVAMain.
Identifier              A unique identifier of this KeyInfo object.
KeyInfo                 The key information (see text).
KeyInfoListTableType    A list of KeyInfoWrappers.
KeyInfoWrapper          A KeyInfo with identification.



In order to be able to refer from a signature to KeyInfo elements in the
KeyInfoWrapperTable, the reference URI needs to be defined.
This URI is similar to the one defined in section 4.2.2.
So the definition of the URI (formatted according to [11]) is:
tva://KeyInfoListTable/<Identifier>
Identifier: the identifier indicated in the KeyInfoWrapperType.

Some examples:

tva://KeyInfoListTable/132423
tva://KeyInfoListTable/435432h
tva://KeyInfoListTable/MyKeyinfo

This allows the inclusion of certificates but also of other options of communicating
KeyInfo objects and indicates how they are linked to signatures.

We state how TV-Anytime signatures are made, the process and what parts of
xmldsig are used (and not used) in TV-Anytime.

It can be specified, for example, that DSA is optional and RSA required. 

As is explained in the xmldsig specification, text can be coded in many ways.
In order to calculate the signature, a single representation of the document has
to be defined. This process is called canonicalization.
Within TV-Anytime, BiM is used as a binary codec for the binary encoding of TV-
Anytime data. When BiM encoding is used, BiM should be indicated as the
canonicalization function. This would allow the client to use the BiM encoded files to
calculate the signature values without the need of extracting the data first.

Signatures can also be used on the different tables. Signing individual CRIDs
is more difficult.

In an embodiment of the invention, digital signatures are used to sign the
content of the CRID. Only properly signed CRIDs will be accepted by the PDRs.
be trusted to originate from a trustworthy authority. It does not
protect against incorrect resolution of the CRID. Having correctly verified the

* I ^,^ S -^ rrect ' *• PDR snouW to obtain a locator for the oarrtert : uSno 
5 me CRID Thus, content and service providers can be sunTthS p££ZmoX 

atws froS to d^ hen l 0 C ^ SA ^rther advantage of this as^S St this 
aSe^ Sfn <* such a <™> would 

10 CRin i^ 9 JH^!^ CR iP s h« to fa e done without changing the 

Se^ Furtne ™ore. the amount of information fs small, making the protection 

«^ r-J^B add s, 9 natures to ^dividual CRIDs is by adding them to the end of 

As the amount of information that can be added to a CRID is limited, only the core
can be specified. Furthermore, due to the size of the CRID, no hashing is needed
and the signature can be directly calculated using a PKI algorithm.
The CRID is redefined using the following syntax.
The syntax of a signed CRID is:

CRID://<authority>/<data>&<signatureAuthority>:<signature>

<authority> Uses the TV-Anytime authority naming rules given in section 7 of
SP002 to assure uniqueness.

<data> is a free format string that is Uniform Resource Identifier (URI) compliant
and is meaningful to the authority given by the <authority> field. The <data> portion
of the CRID is case insensitive.
<signatureAuthority> Uses the TV-Anytime authority naming rules given in section
7 of SP002 to assure uniqueness. The signatureAuthority indicates the party that
defined the algorithm and manner of calculating the signature.
<signature> The signature value of this CRID calculated as defined by the
signatureAuthority.

More than one signature can be applied by re-signing the signed CRID. Some
or all of the previous signatures can be included in the computation of a new
signature. This could be indicated using another additional field, for example
separated by one of the other (reserved) characters.

Some examples of signed CRIDs are:

CRID://comp.com/3874y32&comp.com:32843829l 74
CRID://broadcast.com/1.4.5&sign.com:7asd7ead7

As a variation of this method, it is possible to use a different URL type to represent a
signed CRID. An example of this variation is:

SCRID://comp.com/3874y32&comp.com:3284382gi74

Different orders and different characters could be used to comprise the new signed
Also, a restriction could be added that the indicated markers may not be used in the
data part ("&" and ";").
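
An added example, not part of the patent text: a Python parser for the signed-CRID syntax above, showing why the marker restriction matters when <data> is a free-format string. The strict flag, the accept helper and its verifiers mapping are assumptions made for this sketch; the markers "&" and ":" are the ones used in the page's examples.

```python
from dataclasses import dataclass

SIG_MARK, AUTH_MARK = "&", ":"      # markers as used in the page's examples
SCHEMES = ("crid://", "scrid://")   # standard form and the SCRID variant


class CridError(ValueError):
    pass


@dataclass(frozen=True)
class SignedCrid:
    authority: str
    data: str
    signature_authority: str
    signature: str

    def crid(self) -> str:
        """The plain CRID, without the signature fields."""
        return f"crid://{self.authority}/{self.data}"


def parse_signed_crid(text: str, strict: bool = True) -> SignedCrid:
    scheme = next((s for s in SCHEMES if text.lower().startswith(s)), None)
    if scheme is None:
        raise CridError("not a CRID")
    authority, slash, tail = text[len(scheme):].partition("/")
    # Split at the LAST '&': <data> is a free-format URI string and may
    # itself contain '&' unless the marker restriction is enforced.
    data, mark, sig_part = tail.rpartition(SIG_MARK)
    sig_auth, colon, signature = sig_part.partition(AUTH_MARK)
    if not all((authority, slash, data, mark, sig_auth, colon, signature)):
        raise CridError("missing field or unsigned CRID")
    if strict and (SIG_MARK in data or AUTH_MARK in data):
        raise CridError("marker character inside <data>")
    # <data> is case insensitive; authority names are treated the same way.
    return SignedCrid(authority.lower(), data.lower(), sig_auth.lower(), signature)


def accept(text: str, verifiers: dict) -> bool:
    """PDR-side policy: accept only CRIDs signed by a known signatureAuthority.

    verifiers maps a signatureAuthority to a callable(crid, signature) -> bool
    (hypothetical interface; the page leaves the algorithm to that authority).
    """
    try:
        parsed = parse_signed_crid(text)
    except CridError:
        return False
    check = verifiers.get(parsed.signature_authority)
    return bool(check and check(parsed.crid(), parsed.signature))
```

Without the restriction, a string carrying two signature-like suffixes is read differently by a parser that splits at the first "&" and one that splits at the last, so strict mode rejects it instead of picking one reading.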

The measures used in the above embodiments can be used individually, but 
these measures could also be combined to provide for better protection, or for 
protection against multiple threats. 

It should be noted that the above-mentioned embodiments illustrate rather 
than limit the invention, and that those skilled in the art will be able to design many 
alternative embodiments without departing from the scope of the appended claims. 

In the claims, any reference signs placed between parentheses shall not be
construed as limiting the claim. The word "comprising" does not exclude the
presence of elements or steps other than those listed in a claim. The word "a" or "an" 
preceding an element does not exclude the presence of a plurality of such elements. 
The invention can be implemented by means of hardware comprising several distinct 
elements, and by means of a suitably programmed computer. 

In the device claim enumerating several means, several of these means can 
be embodied by one and the same item of hardware. The mere fact that certain 
measures are recited in mutually different dependent claims does not indicate that a
combination of these measures cannot be used to advantage. 

Of course, the techniques above can also be used outside the scope of TV 
anytime. 
CLAIMS:

2. The method of claim 1, in which the protection of metadata is performed using
a signature.

3. The method of claim 2, in which the sections which are protected using a
signature are identified with a unique identifier

Lnatn^retel^ SSSSF * Pr °^* ,nto a <~ 

The method of claim 1, in which a transform function is used to select at least
one section of the metadata that has been signed

Lrf «U e "S* %h0d of Jl a, " m £' ln wnfch tne ""'que Identifier contains at least one 
start-field and one end field for the identified metadata

8. The method of claim 1, in which certificates are used to verify the signature

f- .. . * Wem that handles potentially protected metadata, further characterized in 
S SnSS 11 " 9, 2 nd encryption, decryption, and verification of praS 
metadata, substantially as described in this document H 

30 s2n atu ^tSsa a 3S da,a ' , ' nc,u * 9 o"" 0 " 81 addlH °™* "*»«™ ™d 



11. A method of providing a content reference identifier CRID characterized by
applying a measure to the CRID, to a locator obtained^resoMnq tte CR^frXr 

as to obtain said locator, to provide for authentication of at least one aspect thereof. 

12. The method of claim 11, whereby the measure comprises computing a digital
signature over at least part of the contents of the CRID, the locator and/or the RAR.
ABSTRACT:

This invention concerns a method and system for the protection of the integrity of
TV Anytime metadata, and a signal carrying such protected information accordingly.
Protection is obtained by applying a signature and certification approach. Optionally,
an additional step of canonicalization or a transform function is used. Metadata can be
labeled with a unique identifier so they can be referenced and separately signed
individually or as a set by several different parties.

Fig. 1
Fig. 2







